A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai

•

3 likes•1,603 views

Cysinfo Cyber Security Community

Technology

a look into the sanitizer family
by Akul Pillai

>_ whoami
● Akul Pillai (Twitter: @akulpillai)
● 2nd year CSE BTech Student @ Amrita School of
Engineering, Amritapuri
● aka k4iz3n, CTF Player @teambi0s
● Reverse Engineering and Binary Exploitation
● Organizing team @ InCTF and InCTFj

>_ Agenda
● What are Sanitizers?
○ Overview
○ Characteristics
● Address Sanitizer (ASan)
○ Usage & Working
● Undefined Behaviour Sanitizer (UBSan)
○ Usage & Working
● Sanitizers in Action (demos)

>_ What are Sanitizers?
● A family of dynamic testing tools available in Clang, GCC
and Xcode that allows you to perform runtime analysis on
your code.
● Detects bugs such as
○ buffer overflows
○ signed integer overflows
○ uninitialized memory reads
○ data races, etc
● An amazing fuzzer aid

>_ Types of Sanitizers
There are fundamentally 4 types of Sanitizers:
>_ Address Sanitizer
detects invalid address usage
bugs
>_ Undefined Behaviour Sanitizer
finds unspecified code semantic
bugs
>_ Thread Sanitizer
detects threading bugs
>_ Memory Sanitizer
finds uninitialized memory access
bugs

>_ Characteristics of Sanitizers
● Compiler Instrumented
○ The compiler adds checks inlined into the generated code
● Checks are performed dynamically during runtime
● A detailed report is created and outputted
Meaning only bugs that are encountered during execution
are reported.

>_ Agenda
● What are Sanitizers?
○ Types
○ Characteristics
● Address Sanitizer (ASan)
○ Usage & Working
● Undefined Behaviour Sanitizer (UBSan)
○ Usage & Working
● Sanitizers in Action (demos)

>_ Address Sanitizer (ASan)
● Open source tool developed by Google.
● Is a fast memory corruption bug detector
● ASan can detect:
○ Use after free (dangling pointer dereference)
○ Heap buffer overflow
○ Stack buffer overflow
○ Global buffer overflow
○ Use after return
○ Use after scope

>_ ASan - Usage
Ships with the following compilers, and can be enabled using
the following flags:
○ GCC & Clang: -fsanitize=address
○ Xcode : Runtime Sanitization > Enable Address Sanitizer

$>_ ASan - Working *address = ...; // or: ... = *address; if (IsPoisoned(address)) { ReportError(address, kAccessSize, kIsWrite); } *address = ...; // or: ... = *address; after instrumentation:$

>_ ASan - Memory Mapping
● Uses memory mapping in a way to optimize performance
● The virtual address space is divided into 2 disjoint
classes:
○ Main application memory (Mem): this memory is used by the regular
application code.
○ Shadow memory (Shadow): This memory contains the shadow values (or
metadata).

>_ ASan - Memory Mapping
0
7
6
5
4
3
2
1
-1
addressable
unaddressable/poisoned
shadow
8 bytes of main memory is
mapped to 1 byte of shadow
memory

$>_ ASan - Instrumentation shadow_address = MemToShadow(address); if (ShadowIsPoisoned(shadow_address)) { ReportError(address, kAccessSize, kIsWrite); } if (IsPoisoned(address)) { ReportError(address, kAccessSize, kIsWrite); } *address = ...; // or: ... = *address; using shadow memory:$

>_ Undefined Behaviour Sanitizer (UBSan)
● Undefined Behavior describes the result of any operation
with unspecified semantics, such as
○ dividing by zero
○ loading memory from a misaligned pointer
○ dereferencing a null pointer.
● UBSan detects:
○ out-of-bounds access of arrays
○ integer overflow
○ out-of-range casts to, from, or between floating-point types and
other types.

>_ UBSan - Usage
Ships with the following compilers, and can be enabled using
the following flags:
○ GCC & Clang: -fsanitize=undefined
○ Xcode : Runtime Sanitization > Enable Undefined Behaviour
Sanitizer

>_ UBSan - Working
-fsanitize=alignment
-fsanitize=bool
-fsanitize=builtin
-fsanitize=bounds
-fsanitize=enum
-fsanitize=float-cast-overflow
-fsanitize=nullability-arg
-fsanitize=object-size
-fsanitize=pointer-overflow
-fsanitize=return
-fsanitize=shift
-fsanitize=vptr

What's hot

What Can Compilers Do for Us?

National Cheng Kung University

The Internals of "Hello World" Program

National Cheng Kung University

The session: https://coscup.org/2022/en/session/AGCMDJ After Linux kernel boots, it will try to launch first process “init” in User Space. Then, the system begins the featured journey of the Linux distribution. This sharing takes Busybox as the example and shows that how does Linux kernel find the “init” which directs to the Busybox. And, what will Busybox do and how to get the console. Try to make it like a simple Linux system. Before Linux kernel launches “init” process, the file system and storage corresponding drivers/modules must be loaded to find the “init”. Besides, to mount the root file system correctly, the kernel boot command must include the root device and file system format parameters. On the other hand, the Busybox directed from “init” is a lightweight program, but has rich functions, just like a Swiss Army Knife. So, it is usually used on the simple environment, like embedded Linux system. This sharing will have a demo on a virtual machine first, then on the Raspberry Pi. Drafts: * https://hackmd.io/@starnight/Busbox_as_the_init * https://hackmd.io/@starnight/Build_Alpines_Root_Filesystem_Bootstrap Relate idea: https://hackmd.io/@starnight/Systems_init_and_Containers_COMMAND_Dockerfiles_CMD

Launch the First Process in Linux System

Jian-Hong Pan

Block I/O Layer Tracing: blktrace

Babak Farrokhi

Microkernel Evolution

National Cheng Kung University

GNU Toolchain is the de facto standard of IT industrial and has been improved by comprehensive open source contributions. In this session, it is expected to cover the mechanism of compiler driver, system interaction (take GNU/Linux for example), linker, C runtime library, and the related dynamic linker. Instead of analyzing the system design, the session is use case driven and illustrated progressively.

from Source to Binary: How GNU Toolchain Works

National Cheng Kung University

MCC CTF講習会 pwn編

hama7230

GNU ld的linker script簡介

Wen Liao

CyberChefの使い方（HamaCTF2019 WriteUp編）

Shota Shinogi

ATF(ARM Trusted Firmware)は、ARMv8では重要なソフトウェア。全体を利用するのではなく、その一部を利用可能。この資料では、BL31(EL3 Runtime Firmware)を単体で使う場合、どうすればいいのかを、Xilinx社のZynq UltraScale+ MPSoCを例に説明しています。 ATF (ARM Trusted Firmware) is an important software in ARMv8. Instead of using the whole, part of it is available. This document explains how to do when using BL31 (EL3 Runtime Firmware) alone, for example, with Xilinx's Zynq UltraScale + MPSoC.

ARM Trusted FirmwareのBL31を単体で使う！

Mr. Vengineer

Video: https://www.youtube.com/watch?v=FJW8nGV4jxY and https://www.youtube.com/watch?v=zrr2nUln9Kk . Tutorial slides for O'Reilly Velocity SC 2015, by Brendan Gregg. There are many performance tools nowadays for Linux, but how do they all fit together, and when do we use them? This tutorial explains methodologies for using these tools, and provides a tour of four tool types: observability, benchmarking, tuning, and static tuning. Many tools will be discussed, including top, iostat, tcpdump, sar, perf_events, ftrace, SystemTap, sysdig, and others, as well observability frameworks in the Linux kernel: PMCs, tracepoints, kprobes, and uprobes. This tutorial is updated and extended on an earlier talk that summarizes the Linux performance tool landscape. The value of this tutorial is not just learning that these tools exist and what they do, but hearing when and how they are used by a performance engineer to solve real world problems — important context that is typically not included in the standard documentation.

Velocity 2015 linux perf tools

Brendan Gregg

CXL_説明_公開用.pdf

Yasunori Goto

競技プログラミングにおけるコードの書き方とその利便性

Hibiki Yamashiro

NVDIMM (Non Volatile DIMM) is the most interesting device, because it has not only characteristic of memory but also storage. To support NVDIMM, Linux kernel provides three access methods for users. - Storage (Sector) mode - Filesystem DAX(=Direct Access) mode - Device DAX mode. In the above three methods, Filesystem DAX is the most expected access method, because applications can write data to the NVDIMM area directory, and it is easier to use than Device DAX mode. So, some software already uses it with official support. However, Filesystem-DAX is still "experimental status" in the upstream community due to some difficult issues . In this session, Yasunori Goto will talk to the forefront of the development of NVDIMM, and Ruan Shiyang will talk about his challenge with the latest status from Open Source Summit Japan 2020.

The Forefront of the Development for NVDIMM on Linux Kernel (Linux Plumbers c...

Yasunori Goto

Virtual Machine Constructions for Dummies

National Cheng Kung University

淺談探索 Linux 系統設計之道

National Cheng Kung University

仮想化技術によるマルウェア対策とその問題点

Kuniyasu Suzaki

Stack Smashing Protection(SSP) is one of the oldest and fundamental protections against exploits, and is now supported by most compilers and modern operating systems. One technique for SSP is using stack canaries, which verify if a stack buffer has been overflown by checking the integrity of a value stored immediately after the buffer. Previously, the main methods to bypass stack canaries were to exploit different vulnerabilities to either avoid the canary validation completely, or to provide the correct canary value by leaking the value. In this talk I will propose a new technique to bypass stack canaries in SSP which takes a different approach from the previous two methods.

Master Canary Forging by Yuki Koike - CODE BLUE 2015

CODE BLUE

Valgrind tutorial

Satabdi Das

BPF of Berkeley Packet Filter mechanism was first introduced in linux in 1997 in version 2.1.75. It has seen a number of extensions of the years. Recently in versions 3.15 - 3.19 it received a major overhaul which drastically expanded it's applicability. This talk will cover how the instruction set looks today and why. It's architecture, capabilities, interface, just-in-time compilers. We will also talk about how it's being used in different areas of the kernel like tracing and networking and future plans.

BPF - in-kernel virtual machine

Alexei Starovoitov

What's hot (20)

What Can Compilers Do for Us?

The Internals of "Hello World" Program

Launch the First Process in Linux System

Block I/O Layer Tracing: blktrace

Microkernel Evolution

from Source to Binary: How GNU Toolchain Works

MCC CTF講習会 pwn編

GNU ld的linker script簡介

CyberChefの使い方（HamaCTF2019 WriteUp編）

ARM Trusted FirmwareのBL31を単体で使う！

Velocity 2015 linux perf tools

CXL_説明_公開用.pdf

競技プログラミングにおけるコードの書き方とその利便性

The Forefront of the Development for NVDIMM on Linux Kernel (Linux Plumbers c...

Virtual Machine Constructions for Dummies

淺談探索 Linux 系統設計之道

仮想化技術によるマルウェア対策とその問題点

Master Canary Forging by Yuki Koike - CODE BLUE 2015

Valgrind tutorial

BPF - in-kernel virtual machine

Similar to A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai

0507 057 01 98 * Adana Cukurova Klima Servisleri

Adana Klima Servisi Bakım Montaj Taşıma Temizlik Tamir Arıza Teknik Servisleri

Optimizing mobile applications - Ian Dundore, Mark Harkness

ozlael ozlael

Manticore 6.pdf

SergeyNikolaev27

Analytics tools and Instruments

Krunal Soni

Microprocessors - 80386DX

PriyaDYP

The talk is about doing cleanup and refactor for legacy Python code base in a safer way. I introduced several existing tools for this task and demonstrated how (surprisingly) Python ast module can also help in this case. 中文摘要: 不管是 open source 專案還是工作上，經過長時間開發累積，source code 內可能會殘留許多不再需要的 code，造成維護以及 refactor 的困難，也造成新手 trace code 時的障礙。對 C/C++ 這類編譯式語言來說，開啟編譯器最佳化能自動清除 dead code，但對於 Python 這類動態語言，則沒有公認完美的方法。本議程分享一些相關經驗，佐以利用 Python AST 的簡易自製工具，討論如何從較複雜的 python source tree 中，安全的清除不再需要的 code。 Code: https://github.com/PCMan/python-find-unused-func

2018 cosup-delete unused python code safely - english

Jen Yee Hong

Introducing Parameter Sensitivity to Dynamic Code-Clone Analysis Methods

Kamiya Toshihiro

Bringing Oracle databases to the cloud involves major tectonic shifts: (1) hardware resources are no longer static and (2) expense model is “pay-per-use”. Previously, as long as your current servers were surviving the workload, no one cared whether they were under-utilized. Now, this difference can be immediately monetized because the resource elasticity means that you can give it back. As a result, the total quality of the code base (+performance tuning) has a direct impact on cost. This presentation will share some of the corresponding best practices: code instrumentation, profiling, code management, resource optimization etc. Overall, you can make your system cloud-friendly, but doing so takes explicit effort and serious thinking!

Server-Side Developmentfor the Cloud

Michael Rosenblum

Pointer

manish840

Computer Architecture and Organization

ssuserdfc773

Introduction to Parallelization ans performance optimization

CSUC - Consorci de Serveis Universitaris de Catalunya

Writing Applications for Scylla

ScyllaDB

grsecurity and PaX

Kernel TLV

Introduction to Parallelization ans performance optimization

CSUC - Consorci de Serveis Universitaris de Catalunya

Valgrind

aidanshribman

Performance analysis of sobel edge filter on heterogeneous system using opencl

eSAT Publishing House

PPT DMA.pptx

Abhishekkumarsingh630054

memory

teach4uin

SOSCON 2016 JerryScript

Samsung Open Source Group

An introduction to Symbolic Execution. Hands-on using the angr binary framework. hands-on material: https://github.com/ercoppa/symbolic-execution-tutorial reference: Roberto Baldoni, Emilio Coppa, Daniele Cono D'Elia, Camil Demetrescu, Irene Finocchi. A Survey of Symbolic Execution Techniques. ACM Computing Surveys (ACM CSUR), 51(3), 2018. http://season-lab.github.io/papers/survey-symbolic-execution-preprint-CSUR18.pdf

Symbolic Execution (introduction and hands-on)

Emilio Coppa

Similar to A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai (20)

0507 057 01 98 * Adana Cukurova Klima Servisleri

Optimizing mobile applications - Ian Dundore, Mark Harkness

Manticore 6.pdf

Analytics tools and Instruments

Microprocessors - 80386DX

2018 cosup-delete unused python code safely - english

Introducing Parameter Sensitivity to Dynamic Code-Clone Analysis Methods

Server-Side Developmentfor the Cloud

Pointer

Computer Architecture and Organization

Introduction to Parallelization ans performance optimization

Writing Applications for Scylla

grsecurity and PaX

Introduction to Parallelization ans performance optimization

Valgrind

Performance analysis of sobel edge filter on heterogeneous system using opencl

PPT DMA.pptx

memory

SOSCON 2016 JerryScript

Symbolic Execution (introduction and hands-on)

Recently uploaded

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

Recently uploaded (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Automating Google Workspace (GWS) & more with Apps Script

GenAI Risks & Security Meetup 01052024.pdf

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

AWS Community Day CPH - Three problems of Terraform

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Axa Assurance Maroc - Insurer Innovation Award 2024

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

presentation ICT roal in 21st century education

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Boost Fertility New Invention Ups Success Rates.pdf

Boost PC performance: How more available memory can improve productivity

🐬 The future of MySQL is Postgres 🐘

A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai

1. a look into the sanitizer family by Akul Pillai

2. >_ whoami ● Akul Pillai (Twitter: @akulpillai) ● 2nd year CSE BTech Student @ Amrita School of Engineering, Amritapuri ● aka k4iz3n, CTF Player @teambi0s ● Reverse Engineering and Binary Exploitation ● Organizing team @ InCTF and InCTFj

3. >_ Agenda ● What are Sanitizers? ○ Overview ○ Characteristics ● Address Sanitizer (ASan) ○ Usage & Working ● Undefined Behaviour Sanitizer (UBSan) ○ Usage & Working ● Sanitizers in Action (demos)

4. >_ What are Sanitizers? ● A family of dynamic testing tools available in Clang, GCC and Xcode that allows you to perform runtime analysis on your code. ● Detects bugs such as ○ buffer overflows ○ signed integer overflows ○ uninitialized memory reads ○ data races, etc ● An amazing fuzzer aid

5. >_ Types of Sanitizers There are fundamentally 4 types of Sanitizers: >_ Address Sanitizer detects invalid address usage bugs >_ Undefined Behaviour Sanitizer finds unspecified code semantic bugs >_ Thread Sanitizer detects threading bugs >_ Memory Sanitizer finds uninitialized memory access bugs

6. >_ Characteristics of Sanitizers ● Compiler Instrumented ○ The compiler adds checks inlined into the generated code ● Checks are performed dynamically during runtime ● A detailed report is created and outputted Meaning only bugs that are encountered during execution are reported.

7. >_ Agenda ● What are Sanitizers? ○ Types ○ Characteristics ● Address Sanitizer (ASan) ○ Usage & Working ● Undefined Behaviour Sanitizer (UBSan) ○ Usage & Working ● Sanitizers in Action (demos)

8. >_ Address Sanitizer (ASan) ● Open source tool developed by Google. ● Is a fast memory corruption bug detector ● ASan can detect: ○ Use after free (dangling pointer dereference) ○ Heap buffer overflow ○ Stack buffer overflow ○ Global buffer overflow ○ Use after return ○ Use after scope

9. >_ ASan - Usage Ships with the following compilers, and can be enabled using the following flags: ○ GCC & Clang: -fsanitize=address ○ Xcode : Runtime Sanitization > Enable Address Sanitizer

10. >_ ASan - Working *address = ...; // or: ... = *address; if (IsPoisoned(address)) { ReportError(address, kAccessSize, kIsWrite); } *address = ...; // or: ... = *address; after instrumentation:

11. >_ ASan - Memory Mapping ● Uses memory mapping in a way to optimize performance ● The virtual address space is divided into 2 disjoint classes: ○ Main application memory (Mem): this memory is used by the regular application code. ○ Shadow memory (Shadow): This memory contains the shadow values (or metadata).

12. >_ ASan - Memory Mapping 0 7 6 5 4 3 2 1 -1 addressable unaddressable/poisoned shadow 8 bytes of main memory is mapped to 1 byte of shadow memory

13. >_ ASan - Instrumentation shadow_address = MemToShadow(address); if (ShadowIsPoisoned(shadow_address)) { ReportError(address, kAccessSize, kIsWrite); } if (IsPoisoned(address)) { ReportError(address, kAccessSize, kIsWrite); } *address = ...; // or: ... = *address; using shadow memory:

14. >_ ASan - buffer overflow

15.

16.

17. >_ ASan - use after free

18.

19.

20. >_ Agenda ● What are Sanitizers? ○ Types ○ Characteristics ● Address Sanitizer (ASan) ○ Usage & Working ● Undefined Behaviour Sanitizer (UBSan) ○ Usage & Working ● Sanitizers in Action (demos)

21. >_ Undefined Behaviour Sanitizer (UBSan) ● Undefined Behavior describes the result of any operation with unspecified semantics, such as ○ dividing by zero ○ loading memory from a misaligned pointer ○ dereferencing a null pointer. ● UBSan detects: ○ out-of-bounds access of arrays ○ integer overflow ○ out-of-range casts to, from, or between floating-point types and other types.

22. >_ UBSan - Usage Ships with the following compilers, and can be enabled using the following flags: ○ GCC & Clang: -fsanitize=undefined ○ Xcode : Runtime Sanitization > Enable Undefined Behaviour Sanitizer

23. >_ UBSan - integer overflow

24.

25. >_ UBSan - Working demo

26. >_ UBSan - Working -fsanitize=alignment -fsanitize=bool -fsanitize=builtin -fsanitize=bounds -fsanitize=enum -fsanitize=float-cast-overflow -fsanitize=nullability-arg -fsanitize=object-size -fsanitize=pointer-overflow -fsanitize=return -fsanitize=shift -fsanitize=vptr

27. >_ UBSan - array out of bounds

28.

29. >_ UBSan - Working demo

30. >_ questions?

A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai

Similar to A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai (20)

More from Cysinfo Cyber Security Community

More from Cysinfo Cyber Security Community (20)

Recently uploaded

Recently uploaded (20)

A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai